Data recovery vendor security is a "black hole", warns Reymann Group CEO

“The process of hiring and using a third-party data recovery vendor is handled by the help line desk, the back office, or the low-level technician. And it’s so low cost in the budget that it is not on anybody’s radar for discussion, which means it’s not part of any IT or information security risk assessment or any vendor management risk assessment practices”, Reymann told Infosecurity.

“There’s got to be a lot of data going out the back door to be recovered and coming back in, and who knows what’s happening to it while it’s in the third-party vendor hands or, more importantly, what’s on the device when it comes back”, he added.

According to a survey by the Ponemon Institute commissioned by DriveSavers Data Recovery, 19% of those who had experienced a data breach in the previous two years said that it had occurred when a hard drive was in the possession of a third-party data recovery vendor.

Ponemon surveyed 636 IT security and IT support practitioners who were involved in their organization’s data security or data recovery operations. The survey also found that only 20% said that data security is a major concern when selecting a third-party data recovery vendor, but 82% said it should be.

Reymann said the Ponemon study identified a “smoking gun” case in which a major data breach occurred as a result of a third-party data recovery vendor. A senior vice president at a large bank needed to get data off a crashed hard drive; the bank's IT help line sent it out to a third-party data recovery vendor and received the recovered data 10 hours later. Two weeks later, the bank received notification from clients that their identities had been stolen. The bank discovered that the affected clients were the ones whose records were on the hard drive sent to the vendor for data recovery, and found that the third-party vendor had hired a person with a criminal background of identity theft, he related.

“So there’s the smoking gun. In how many cases do you think that is happening today?”, Reymann added.

Reymann and Michael Hall, chief information security officer at DriveSavers, have been meeting with regulators and industry to inform them about this information security gap.

The National Institute of Standards and Technology (NIST) took action and updated its publication Contingency Planning Guide for Federal Information Systems (NIST SP 800-34) to address the security risk associated with using data recovery vendors without proper security protocols.

One US government body that has strong third-party data recovery security processes in place is Lawrence Livermore National Laboratory, noted Neda Gray, information systems security officer for operations and business at the lab.

“What we try to do in terms of third-party data recovery vendor security is to assess the quality of care and security taken in handling the data we send off because our data is very sensitive and can affect national security”, Gray told Infosecurity.

Regarding the security gap for third-party data recovery vendors in the private sector, Reymann concluded: “It is an easy fix. You consider third-party data recovery vendors…as part of your vendor management practices, IT risk assessment methodologies, information security policies and procedures, and you’re done. And make sure that you are including all employees in training programs, especially the help desk folks that are managing these types of vendors.”